Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32142

CVE-2026-32142: Shopware Information Disclosure Flaw

CVE-2026-32142 is an information disclosure vulnerability in Shopware that exposes license information through the /api/_info/config route. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2026-32142 Overview

CVE-2026-32142 is an information disclosure vulnerability in Shopware, an open commerce platform used by online merchants worldwide. The /api/_info/config route exposes information about installed licenses without sufficient access controls. An unauthenticated remote attacker can query this endpoint over the network to retrieve license details that should remain private. The flaw is classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Shopware has addressed the issue in versions 7.8.1 and 6.10.15.

Critical Impact

Unauthenticated network attackers can enumerate Shopware license information through the exposed /api/_info/config endpoint, aiding reconnaissance against targeted commerce deployments.

Affected Products

  • Shopware versions prior to 7.8.1 on the 7.x branch
  • Shopware versions prior to 6.10.15 on the 6.x branch
  • Shopware open commerce platform deployments exposing the /api/_info/config route

Discovery Timeline

  • 2026-03-12 - CVE-2026-32142 published to NVD
  • 2026-04-16 - Last updated in NVD database

Technical Details for CVE-2026-32142

Vulnerability Analysis

The vulnerability resides in the Shopware administrative information API. The /api/_info/config route returns configuration data that includes license-related information. Access controls on this route do not adequately restrict who can read license fields, allowing unauthenticated callers to retrieve data intended for authorized administrators.

The attack requires only network access to the Shopware instance. No user interaction or prior authentication is needed. Exploitation does not impact integrity or availability, but it leaks information that supports further targeting of the affected store.

License data can reveal subscription tiers, plugin entitlements, or instance identifiers. Attackers can use this information to fingerprint deployments, prioritize targets running specific commercial extensions, or correlate instances across reconnaissance campaigns.

Root Cause

The root cause is missing authorization enforcement on the /api/_info/config endpoint. The handler returns license configuration fields without verifying that the requester holds an administrative session or API token. This is a classic [CWE-200] information exposure pattern in which sensitive data is included in a response accessible to a broader audience than intended.

Attack Vector

An attacker sends an HTTP GET request to the /api/_info/config path on a vulnerable Shopware host. The server responds with a JSON payload containing license information. The request can be issued from any network position with reachability to the storefront, including the public internet for internet-facing shops. See the GitHub Security Advisory GHSA-gvmv-9f74-mhwp for vendor technical details.

Detection Methods for CVE-2026-32142

Indicators of Compromise

  • HTTP requests to /api/_info/config originating from unauthenticated or unexpected client IP addresses
  • Repeated GET requests against _info endpoints from scanning infrastructure or anonymizing networks
  • Web server access logs showing successful 200 OK responses to /api/_info/config from non-administrator sessions

Detection Strategies

  • Inspect application and reverse proxy logs for requests to /api/_info/config and compare source addresses against the administrator allowlist
  • Deploy web application firewall (WAF) rules that flag or block unauthenticated access to Shopware _info API routes
  • Correlate scanning bursts targeting commerce platforms with subsequent requests to license disclosure endpoints

Monitoring Recommendations

  • Enable verbose access logging for the Shopware admin API and forward logs to a centralized analytics platform
  • Alert on anomalous request rates or geographic origins hitting /api/_info/* paths
  • Track Shopware version banners in monitoring to confirm patched builds remain deployed across all storefronts

How to Mitigate CVE-2026-32142

Immediate Actions Required

  • Upgrade Shopware 7.x deployments to version 7.8.1 or later
  • Upgrade Shopware 6.x deployments to version 6.10.15 or later
  • Audit web server logs for prior requests to /api/_info/config and assess whether license data was exposed
  • Restrict access to /api/_info/* routes to trusted administrative IP ranges where business requirements allow

Patch Information

Shopware released fixed builds in versions 7.8.1 and 6.10.15. Operators should apply the upstream packages through their standard update workflow. Full remediation details are available in the Shopware GitHub Security Advisory GHSA-gvmv-9f74-mhwp.

Workarounds

  • Block external access to /api/_info/config at the reverse proxy or WAF layer until patches are applied
  • Limit access to the /api/_info/* namespace to authenticated administrator sessions through web server access rules
  • Rotate any license keys or identifiers that may have been exposed before remediation
bash
# Example nginx configuration to restrict the vulnerable route
location = /api/_info/config {
    allow 10.0.0.0/8;       # internal admin network
    deny all;
    proxy_pass http://shopware_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.